Defining Master Index Data Manager Security

Oracle Java CAPS Master Index supports security for the Master Index Data Manager
(MIDM) at the user and function level and also supports Secure Sockets Layer
(SSL) authentication. Security is defined at two levels, the EJB level and the
presentation level. EJB security provides access at the user and function level to
the methods of the master controller (com.sun.mdm.index.ejb.master). Presentation level security provides access at the
function and user level for the actions that can be performed from the
MIDM.

A secure user name and password need to be defined for each master index
application user to connect to the database and to log on to the
MIDM. For each user account you define, you must specify one or more
roles in order for that user to be able to perform any
functions in the MIDM. You define roles in midm-security.xml in the master index project.
This is the presentation layer security. In addition, each user must also be
assigned at least one EJB security role. EJB security roles are defined in
security.xml. A default role that grants access to all functions of the master
controller is predefined, but is not included in the file. The role is
named MasterIndex.Admin.

User permissions for master index applications are granted using the Admin Console. You
can also define security using a Lightweight Directory Access Protocol (LDAP) server, using the
roles you define in Define Master Index Data Manager User Roles.

Perform the following tasks to configure security for the master index application:

Define Master Index Data Manager User Roles

Oracle Java CAPS Master Index provides sample user roles for giving multiple permissions
to a user at one time. You can define additional user roles and
assign combinations of access permissions to each role. This way you can assign
a user account to one or two user roles instead of assigning them
several access permissions.

To Define a User Role

In the NetBeans Project window, expand the master index project and then expand
Configuration.

Define EJB User Roles

EJB user roles control access at the master controller level. Oracle Java
CAPS Master Index provides a sample role for granting multiple permissions at one
time without giving access to all functions. An additional role is predefined, MasterIndex.Admin, that
provides access to all functions. You can define additional roles and assign combinations
of functional permissions to each role. This way you can assign a user
account to one or two roles instead of assigning them several permissions.

Note - This step is optional. You can use the MasterIndex.Admin role for MIDM users
if you only need to restrict access at the presentation level.

To Define an EJB User Role

In the NetBeans Projects window, expand the master index project and then expand
Configuration.

Create Master Index Data Manager User Accounts

You create user accounts for MIDM access using the GlassFish Admin Console.

Tip - Make sure you give users access to the initial page that appears when
a user logs in to the MIDM. This page is defined in
midm.xml. Also verify that the EJB privileges you assign allow the user to
perform all of the MIDM functions to which they have access.

To Create a User Account

Before You Begin

Make sure you have created all the user roles and, optionally, EJB user
roles that need to be assigned to the user account.

Log on to the GlassFish Admin Console.

In the left portion of the page, expand Configuration, expand Security, and then
expand Realms.

Select File.

On the Edit Realm page, select Manage Users.

On the File Users page, select New.

In the User ID field, enter a name for the user.

In the Group List field, enter the following. Separate roles with a comma.

After you have added all required user roles and EJB user roles, enter
a password for the user in the New Password field.

In the Confirm New Password field, enter the password again.

Click OK.

Master Index Data Manager User Role Properties

You can define user roles for the MIDM in order to assign
multiple security permissions to a user account at once. Roles are defined in
an XML file, midm-security.xml. The following table describes the elements of the security configuration
file.

Table 1 MIDM User Role Configuration Elements

Element

Description

role

A definition for one user role. Each role element contains a name
for the user role, a list of security permissions, and, optionally, a user
role from which permissions are inherited along with any exceptions to the inheritance.

role-name

The name of the user role, such as Administrator.

inheritance

A definition of how permissions
are inherited from another user role. The definition includes the parent user role
and any permissions that should not be inherited. This group of elements is
optional, and a role can inherit from multiple user roles.

Note - The role from which
permissions are inherited must be defined earlier in the XML file than the
role that inherits the permissions.

inherits-from

The name of the user role from which
the current role inherits permissions. If permissions are added to this user role
at any time, the new permissions are also inherited by the current role.

excluded-operations

A list of permissions assigned to the parent role that the current role should
not have access to. Any permissions assigned to the parent role that are
not listed here are assigned to the current role.

Note - If a role inherits
from multiple parent roles and each parent is assigned an excluded permission, you
need to specify that the permission be excluded for each parent role.

Gives access permission to the reports page. This permission is
needed in order to run any of the production or activity reports.

SO_Activate

Gives access
permission to reactivate a deactivated system record.

SO_Add

Gives access permission to add system
records.

SO_Compare

Gives access permission to compare system records.

SO_Edit

Gives access permission to modify system
records.

SO_Deactivate

Gives access permission to deactivate system records.

SO_Merge

Gives access permission to merge system
records.

SO_Print

Gives access permission to print the results of a system record search.

SO_Remove

Gives access permission to delete system records.

SO_SearchView

Gives access permission to search for and
view system records.

SO_Unmerge

Gives access permission to unmerge system records.

TransLog_Print

Gives permission to print
the results of a transaction history search.

TransLog_SearchView

Gives access permission to search for
and view the transaction history of enterprise records and to view merged records.
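
The inheritance rules in Table 1 (a parent must be defined earlier in the file, and an exclusion applies only to the parent it is listed under) can be checked before deployment. The following is an added example, not code from Oracle Java CAPS: the `roles`, `operations` and `operation` element names and the Auditor and Clerk roles are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample; <roles>, <operations> and <operation> are assumed names.
SAMPLE = """
<roles>
  <role><role-name>Administrator</role-name>
    <operations><operation>SO_Add</operation><operation>SO_Edit</operation>
      <operation>SO_Remove</operation><operation>SO_SearchView</operation></operations>
  </role>
  <role><role-name>Auditor</role-name>
    <operations><operation>SO_Remove</operation>
      <operation>TransLog_SearchView</operation></operations>
  </role>
  <role><role-name>Clerk</role-name>
    <inheritance><inherits-from>Administrator</inherits-from>
      <excluded-operations><operation>SO_Remove</operation></excluded-operations>
    </inheritance>
    <inheritance><inherits-from>Auditor</inherits-from></inheritance>
    <operations><operation>SO_Print</operation></operations>
  </role>
</roles>
"""

def effective_permissions(xml_text):
    """Return ({role: set of permissions}, [warnings]), resolving in file order."""
    resolved, warnings = {}, []
    for role in ET.fromstring(xml_text).iter("role"):
        name = role.findtext("role-name").strip()
        perms = {op.text.strip() for op in role.findall("operations/operation")}
        dropped = set()
        for inh in role.findall("inheritance"):
            parent = inh.findtext("inherits-from").strip()
            excluded = {op.text.strip()
                        for op in inh.findall("excluded-operations/operation")}
            if parent not in resolved:
                # The parent role must appear earlier in the file.
                warnings.append(f"{name}: parent {parent} is not defined earlier in the file")
                continue
            perms |= resolved[parent] - excluded  # exclusion is per parent
            dropped |= excluded
        # A permission excluded for one parent can still arrive from another.
        for perm in sorted(dropped & perms):
            warnings.append(f"{name}: {perm} excluded for one parent but still granted")
        resolved[name] = perms
    return resolved, warnings
```

In the sample, Clerk excludes SO_Remove only under Administrator, so the permission still reaches Clerk through Auditor and is reported.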

EJB User Role Properties

You can define access roles for the EJB layer in order to
assign multiple security permissions to a user or web client at once. EJB
roles can be used to secure MIDM users and other clients accessing the
master index application, such as web services. Roles are defined in an XML
file, security.xml. The following table describes the elements of the security configuration file. The
default role, MasterIndex.Admin, is not defined in this file, but it gives access
to all functions.

Table 3 EJB User Role Configuration Elements

Element

Description

ejbSecurity

An indicator of whether EJB security is enabled. Enter ON
to enable web service security; enter OFF to disable web service security.

role

A definition for
one EJB user role. Each role element contains a name for the user
role and a list of security permissions.

role-name

The name of the EJB user
role, such as DataProcessor.

operation

A list of master controller functions to assign to
the user role.

name

The name of a master controller function to add
to the current user role. Functions are listed under EJB Security Functions.

EJB Security Functions

The following table lists and describes each security function in the master controller.
The permission names are case-sensitive. For more information about these functions, see the
Javadocs provided with Oracle Java CAPS Master Index. These functions are defined in
com.sun.mdm.index.ejb.master.MasterController.

Table 4 EJB Security Functions and Descriptions

User Permission

Description

activateEnterpriseObject

Gives access permission to change the status of a deactivated enterprise object
back to active.

activateSystemObject

Gives access permission to change the status of a deactivated system
object back to active.

addSystemObject

Gives access permission to add a system object to
an enterprise object.

calculatePotentialDuplicates

Gives access permission to calculate potential duplicates for a transaction.

calculateSBR

Gives access permission
to calculate a new single best record (SBR) for an enterprise object that
has been updated.

createEnterpriseObject

Gives access permission to create a new enterprise object in the
master index application.

deactivateEnterpriseObject

Gives access permission to change the status of an enterprise object
to inactive.

deactivateSystemObject

Gives access permission to change the status of a system object to
inactive.

deleteSystemObject

Gives access permission to delete a system object from an enterprise object.

executeMatch

Gives access
permission to process a system object using the standardization and matching logic defined
for the master index application.

executeMatchDupRecalc

Gives access permission to process a system object
using the standardization and matching logic defined for the master index application and allows
you to defer potential duplicate processing.

executeMatchGui

Gives access permission to process a system
object using the standardization and matching logic defined for the master index application.

executeMatchUpdate

Gives access permission to process a system object using the standardization and matching logic
defined for the master index application.

executeMatchUpdateDupRecalc

Gives access permission to process a
system object using the standardization and matching logic defined for the master index
application and allows you to defer potential duplicate processing.

getConfigurationValue

Gives access permission to retrieve
the configuration of a master controller parameter.

getDatabaseStatus

Gives access permission to retrieve the status
of the master index database.

getEnterpriseObject

Gives access permission to retrieve an enterprise object.

getEUID

Gives access
permission to retrieve the EUID associated with a system and local ID.

getMergeHistory

Gives access
permission to retrieve a tree structure of the merge transactions associated with a
specific enterprise object.

getRevisionNumber

Gives access permission to retrieve the SBR revision number for an
enterprise object.

getSBR

Gives access permission to retrieve the SBR for an enterprise object.

getSystemObject

Gives access
permission to retrieve a system object based on the system and local ID
information.

insertAuditLog

Gives access permission to add an audit log record to the master index
database.

lookupAssumedMatches

Gives access permission to retrieve a list of assumed matches based on the
search criteria specified.

lookupAuditLog

Gives access permission to retrieve an audit log record.

lookupPotentialDuplicates

Gives permission
to retrieve a list of potential duplicate records.

lookupSystemDefinition

Gives permission to retrieve the
attributes of a source system in the master index database.
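
Because the permission names are case-sensitive, a role in security.xml can be checked against the function names in Table 4. The following is an added example, not code from Oracle Java CAPS: the `security` root element and the `purgeEverything` entry are assumptions made for the constructed sample, and the known set holds only the functions this page lists, so extend it from the Javadocs before relying on the "not listed" finding.

```python
import xml.etree.ElementTree as ET

# Master controller functions named in Table 4, as far as this page lists them.
KNOWN = set("""activateEnterpriseObject activateSystemObject addSystemObject
calculatePotentialDuplicates calculateSBR createEnterpriseObject
deactivateEnterpriseObject deactivateSystemObject deleteSystemObject executeMatch
executeMatchDupRecalc executeMatchGui executeMatchUpdate executeMatchUpdateDupRecalc
getConfigurationValue getDatabaseStatus getEnterpriseObject getEUID getMergeHistory
getRevisionNumber getSBR getSystemObject insertAuditLog lookupAssumedMatches
lookupAuditLog lookupPotentialDuplicates lookupSystemDefinition""".split())
BY_LOWER = {n.lower(): n for n in KNOWN}

# Constructed sample; the <security> root element is an assumed name and
# purgeEverything is a made-up function name used to show the second finding.
SAMPLE = """
<security>
  <ejbSecurity>OFF</ejbSecurity>
  <role>
    <role-name>DataProcessor</role-name>
    <operation>
      <name>executeMatch</name>
      <name>getEuid</name>
      <name>purgeEverything</name>
    </operation>
  </role>
</security>
"""

def lint_ejb_roles(xml_text):
    """Return a list of findings for one security.xml document."""
    root, findings = ET.fromstring(xml_text), []
    if (root.findtext("ejbSecurity") or "").strip() != "ON":
        findings.append("ejbSecurity is not ON")
    for role in root.iter("role"):
        role_name = (role.findtext("role-name") or "").strip()
        for el in role.findall("operation/name"):
            fn = (el.text or "").strip()
            if fn in KNOWN:
                continue
            near = BY_LOWER.get(fn.lower())  # same name with different case?
            if near:
                findings.append(f"{role_name}: '{fn}' differs only by case from '{near}'")
            else:
                findings.append(f"{role_name}: '{fn}' is not a function listed on this page")
    return findings
```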